summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc5482.txt
diff options
context:
space:
mode:
authorThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
committerThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
commit4bfd864f10b68b71482b35c818559068ef8d5797 (patch)
treee3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc5482.txt
parentea76e11061bda059ae9f9ad130a9895cc85607db (diff)
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc5482.txt')
-rw-r--r--doc/rfc/rfc5482.txt787
1 files changed, 787 insertions, 0 deletions
diff --git a/doc/rfc/rfc5482.txt b/doc/rfc/rfc5482.txt
new file mode 100644
index 0000000..8bef6cb
--- /dev/null
+++ b/doc/rfc/rfc5482.txt
@@ -0,0 +1,787 @@
+
+
+
+
+
+
+Network Working Group L. Eggert
+Request for Comments: 5482 Nokia
+Category: Standards Track F. Gont
+ UTN/FRH
+ March 2009
+
+
+ TCP User Timeout Option
+
+Status of This Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (c) 2009 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents in effect on the date of
+ publication of this document (http://trustee.ietf.org/license-info).
+ Please review these documents carefully, as they describe your rights
+ and restrictions with respect to this document.
+
+Abstract
+
+ The TCP user timeout controls how long transmitted data may remain
+ unacknowledged before a connection is forcefully closed. It is a
+ local, per-connection parameter. This document specifies a new TCP
+ option -- the TCP User Timeout Option -- that allows one end of a TCP
+ connection to advertise its current user timeout value. This
+ information provides advice to the other end of the TCP connection to
+ adapt its user timeout accordingly. Increasing the user timeouts on
+ both ends of a TCP connection allows it to survive extended periods
+ without end-to-end connectivity. Decreasing the user timeouts allows
+ busy servers to explicitly notify their clients that they will
+ maintain the connection state only for a short time without
+ connectivity.
+
+
+
+
+
+
+
+
+
+Eggert & Gont Standards Track [Page 1]
+
+RFC 5482 TCP User Timeout Option March 2009
+
+
+Table of Contents
+
+ 1. Introduction ....................................................2
+ 2. Conventions .....................................................3
+ 3. Operation .......................................................4
+ 3.1. Changing the Local User Timeout ............................5
+ 3.2. UTO Option Reliability .....................................8
+ 3.3. Option Format ..............................................8
+ 3.4. Reserved Option Values .....................................9
+ 4. Interoperability Issues .........................................9
+ 4.1. Middleboxes ................................................9
+ 4.2. TCP Keep-Alives ...........................................10
+ 5. Programming and Manageability Considerations ...................10
+ 6. Security Considerations ........................................10
+ 7. IANA Considerations ............................................12
+ 8. Acknowledgments ................................................12
+ 9. References .....................................................12
+ 9.1. Normative References ......................................12
+ 9.2. Informative References ....................................13
+
+1. Introduction
+
+ The Transmission Control Protocol (TCP) specification [RFC0793]
+ defines a local, per-connection "user timeout" parameter that
+ specifies the maximum amount of time that transmitted data may remain
+ unacknowledged before TCP will forcefully close the corresponding
+ connection. Applications can set and change this parameter with OPEN
+ and SEND calls. If an end-to-end connectivity disruption lasts
+ longer than the user timeout, a sender will receive no
+ acknowledgments for any transmission attempt, including keep-alives,
+ and it will close the TCP connection when the user timeout occurs.
+
+ This document specifies a new TCP option -- the TCP User Timeout
+ Option (UTO) -- that allows one end of a TCP connection to advertise
+ its current user timeout value. This information provides advice to
+ the other end of the connection to adapt its user timeout
+ accordingly. That is, TCP remains free to disregard the advice
+ provided by the UTO option if local policies suggest it to be
+ appropriate.
+
+ Increasing the user timeouts on both ends of a TCP connection allows
+ it to survive extended periods without end-to-end connectivity.
+ Decreasing the user timeouts allows busy servers to explicitly notify
+ their clients that they will maintain the connection state only for a
+ short time without connectivity.
+
+
+
+
+
+
+Eggert & Gont Standards Track [Page 2]
+
+RFC 5482 TCP User Timeout Option March 2009
+
+
+ In the absence of an application-specified user timeout, the TCP
+ specification [RFC0793] defines a default user timeout of 5 minutes.
+ The Host Requirements RFC [RFC1122] refines this definition by
+ introducing two thresholds, R1 and R2 (R2 > R1), that control the
+ number of retransmission attempts for a single segment. It suggests
+ that TCP should notify applications when R1 is reached for a segment,
+ and close the connection when R2 is reached. [RFC1122] also defines
+ the recommended values for R1 (3 retransmissions) and R2 (100
+ seconds), noting that R2 for SYN segments should be at least 3
+ minutes. Instead of a single user timeout, some TCP implementations
+ offer finer-grained policies. For example, Solaris supports
+ different timeouts depending on whether a TCP connection is in the
+ SYN-SENT, SYN-RECEIVED, or ESTABLISHED state [SOLARIS].
+
+ Although some TCP implementations allow applications to set their
+ local user timeout, TCP has no in-protocol mechanism to signal
+ changes to the local user timeout to the other end of a connection.
+ This causes local changes to be ineffective in allowing a connection
+ to survive extended periods without connectivity, because the other
+ end will still close the connection after its user timeout expires.
+
+ The ability to inform the other end of a connection about the local
+ user timeout can improve TCP operation in scenarios that are
+ currently not well supported. One example of such a scenario is
+ mobile hosts that change network attachment points. Such hosts,
+ maybe using Mobile IP [RFC3344], HIP [RFC4423], or transport-layer
+ mobility mechanisms [TCP_MOB], are only intermittently connected to
+ the Internet. In between connected periods, mobile hosts may
+ experience periods without end-to-end connectivity. Other factors
+ that can cause transient connectivity disruptions are high levels of
+ congestion or link or routing failures inside the network. In these
+ scenarios, a host may not know exactly when or for how long
+ connectivity disruptions will occur, but it might be able to
+ determine an increased likelihood for such events based on past
+ mobility patterns and thus benefit from using longer user timeouts.
+ In other scenarios, the time and duration of a connectivity
+ disruption may even be predictable. For example, a node in space
+ might experience connectivity disruptions due to line-of-sight
+ blocking by planetary bodies. The timing of these events may be
+ computable from orbital mechanics.
+
+2. Conventions
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+
+
+
+
+
+Eggert & Gont Standards Track [Page 3]
+
+RFC 5482 TCP User Timeout Option March 2009
+
+
+3. Operation
+
+ Use of the TCP User Timeout Option can be either enabled on a per-
+ connection basis, e.g., through an API option, or controlled by a
+ system-wide setting. TCP maintains four per-connection state
+ variables to control the operation of the UTO option, three of which
+ (ADV_UTO, ENABLED, and CHANGEABLE) are new:
+
+ USER_TIMEOUT
+ TCP's USER TIMEOUT parameter, as specified in [RFC0793].
+
+ ADV_UTO
+ UTO option advertised to the remote TCP peer. This is an
+ application-specified value, and may be specified on a system-wide
+ basis. If unspecified, it defaults to the default system-wide
+ USER TIMEOUT.
+
+ ENABLED (Boolean)
+ Flag that controls whether the UTO option is enabled for a
+ connection. This flag applies to both sending and receiving.
+ Defaults to false.
+
+ CHANGEABLE (Boolean)
+ Flag that controls whether USER_TIMEOUT (TCP's USER TIMEOUT
+ parameter) may be changed based on an UTO option received from the
+ other end of the connection. Defaults to true and becomes false
+ when an application explicitly sets USER_TIMEOUT.
+
+ Note that an exchange of UTO options between both ends of a
+ connection is not a binding negotiation. Transmission of a UTO
+ option is a suggestion that the other end consider adapting its user
+ timeout. This adaptation only happens if the other end of the
+ connection has explicitly allowed it (both ENABLED and CHANGEABLE are
+ true).
+
+ Before opening a connection, an application that wishes to use the
+ UTO option enables its use by setting ENABLED to true. It may choose
+ an appropriate local UTO by explicitly setting ADV_UTO; otherwise,
+ UTO is set to the default USER TIMEOUT value. Finally, the
+ application should determine whether it will allow the local USER
+ TIMEOUT to change based on received UTO options from the other end of
+ a connection. The default is to allow this for connections that do
+ not have specific user timeout concerns. If an application
+ explicitly sets the USER_TIMEOUT, CHANGEABLE MUST become false in
+ order to prevent UTO options (from the other end) from overriding
+ local application requests. Alternatively, applications can set or
+ clear CHANGEABLE directly through API calls.
+
+
+
+
+Eggert & Gont Standards Track [Page 4]
+
+RFC 5482 TCP User Timeout Option March 2009
+
+
+ Performing these steps before an active or passive open causes UTO
+ options to be exchanged in the SYN and SYN-ACK packets and is a
+ reliable way to initially exchange, and potentially adapt to, UTO
+ values. TCP implementations MAY provide system-wide default settings
+ for the ENABLED, ADV_UTO and CHANGEABLE connection parameters.
+
+ In addition to exchanging UTO options in the SYN segments, a
+ connection that has enabled UTO options SHOULD include a UTO option
+ in the first packet that does not have the SYN flag set. This helps
+ to minimize the amount of state information TCP must keep for
+ connections in non-synchronized states. Also, it is particularly
+ useful when mechanisms such as "SYN cookies" [RFC4987] are
+ implemented, allowing a newly-established TCP connection to benefit
+ from the information advertised by the UTO option, even if the UTO
+ contained in the initial SYN segment was not recorded.
+
+ A host that supports the UTO option SHOULD include one in the next
+ possible outgoing segment whenever it starts using a new user timeout
+ for the connection. This allows the other end of the connection to
+ adapt its local user timeout accordingly. A TCP implementation that
+ does not support the UTO option MUST silently ignore it [RFC1122],
+ thus ensuring interoperability.
+
+ Hosts MUST impose upper and lower limits on the user timeouts they
+ use for a connection. Section 3.1 discusses user timeout limits and
+ potentially problematic effects of some user timeout settings.
+
+ Finally, it is worth noting that TCP's option space is limited to 40
+ bytes. As a result, if other TCP options are in use, they may
+ already consume all the available TCP option space, thus preventing
+ the use of the UTO option specified in this document. Therefore, TCP
+ option space issues should be considered before enabling the UTO
+ option.
+
+3.1. Changing the Local User Timeout
+
+ When a host receives a TCP User Timeout Option, it must decide
+ whether to change the local user timeout of the corresponding
+ connection. If the CHANGEABLE flag is false, USER_TIMEOUT MUST NOT
+ be changed, regardless of the received UTO option. Without this
+ restriction, the UTO option would modify TCP semantics, because an
+ application-requested USER TIMEOUT could be overridden by peer
+ requests. In this case TCP SHOULD, however, notify the application
+ about the user timeout value received from the other end system.
+
+
+
+
+
+
+
+Eggert & Gont Standards Track [Page 5]
+
+RFC 5482 TCP User Timeout Option March 2009
+
+
+ In general, unless the application on the local host has requested a
+ specific USER TIMEOUT for the connection, CHANGEABLE will be true and
+ hosts SHOULD adjust the local TCP USER TIMEOUT (USER_TIMEOUT) in
+ response to receiving a UTO option, as described in the remainder of
+ this section.
+
+ The UTO option specifies the user timeout in seconds or minutes,
+ rather than in number of retransmissions or round-trip times (RTTs).
+ Thus, the UTO option allows hosts to exchange user timeout values
+ from 1 second to over 9 hours at a granularity of seconds, and from 1
+ minute to over 22 days at a granularity of minutes.
+
+ Very short USER TIMEOUT values can affect TCP transmissions over
+ high-delay paths. If the user timeout occurs before an
+ acknowledgment for an outstanding segment arrives, possibly due to
+ packet loss, the connection closes. Many TCP implementations default
+ to USER TIMEOUT values of a few minutes. Although the UTO option
+ allows suggestion of short timeouts, applications advertising them
+ should consider these effects.
+
+ Long USER TIMEOUT values allow hosts to tolerate extended periods
+ without end-to-end connectivity. However, they also require hosts to
+ maintain the TCP state information associated with connections for
+ long periods of time. Section 6 discusses the security implications
+ of long timeout values.
+
+ To protect against these effects, implementations MUST impose limits
+ on the user timeout values they accept and use. The remainder of
+ this section describes a RECOMMENDED scheme to limit TCP's USER
+ TIMEOUT based on upper and lower limits.
+
+ Under the RECOMMENDED scheme, and when CHANGEABLE is true, each end
+ SHOULD compute the local USER TIMEOUT for a connection according to
+ this formula:
+
+ USER_TIMEOUT = min(U_LIMIT, max(ADV_UTO, REMOTE_UTO, L_LIMIT))
+
+ Each field is to be interpreted as follows:
+
+ USER_TIMEOUT
+ USER TIMEOUT value to be adopted by the local TCP for this
+ connection.
+
+ U_LIMIT
+ Current upper limit imposed on the user timeout of a connection by
+ the local host.
+
+
+
+
+
+Eggert & Gont Standards Track [Page 6]
+
+RFC 5482 TCP User Timeout Option March 2009
+
+
+ ADV_UTO
+ User timeout advertised to the remote TCP peer in a TCP User
+ Timeout Option.
+
+ REMOTE_UTO
+ Last user timeout value received from the other end in a TCP User
+ Timeout Option.
+
+ L_LIMIT
+ Current lower limit imposed on the user timeout of a connection by
+ the local host.
+
+ The RECOMMENDED formula results in the maximum of the two advertised
+ values, adjusted for the configured upper and lower limits, to be
+ adopted for the user timeout of the connection on both ends. The
+ rationale is that choosing the maximum of the two values will let the
+ connection survive longer periods without end-to-end connectivity.
+ If the end that announced the lower of the two user timeout values
+ did so in order to reduce the amount of TCP state information that
+ must be kept on the host, it can close or abort the connection
+ whenever it wants.
+
+ It must be noted that the two endpoints of the connection will not
+ necessarily adopt the same user timeout.
+
+ Enforcing a lower limit (L_LIMIT) prevents connections from closing
+ due to transient network conditions, including temporary congestion,
+ mobility hand-offs, and routing instabilities.
+
+ An upper limit (U_LIMIT) can reduce the effect of resource exhaustion
+ attacks. Section 6 discusses the details of these attacks.
+
+ Note that these limits MAY be specified as system-wide constants or
+ at other granularities, such as on per-host, per-user, per-outgoing-
+ interface, or even per-connection basis. Furthermore, these limits
+ need not be static. For example, they MAY be a function of system
+ resource utilization or attack status and could be dynamically
+ adapted.
+
+ The Host Requirements RFC [RFC1122] does not impose any limits on the
+ length of the user timeout. However, it recommends a time interval
+ of at least 100 seconds. Consequently, the lower limit (L_LIMIT)
+ SHOULD be set to at least 100 seconds when following the RECOMMENDED
+ scheme described in this section. Adopting a user timeout smaller
+ than the current retransmission timeout (RTO) for the connection
+ would likely cause the connection to be aborted unnecessarily.
+ Therefore, the lower limit (L_LIMIT) MUST be larger than the current
+
+
+
+
+Eggert & Gont Standards Track [Page 7]
+
+RFC 5482 TCP User Timeout Option March 2009
+
+
+ retransmission timeout (RTO) for the connection. It is worth noting
+ that an upper limit may be imposed on the RTO, provided it is at
+ least 60 seconds [RFC2988].
+
+3.2. UTO Option Reliability
+
+ The TCP User Timeout Option is an advisory TCP option that does not
+ change processing of subsequent segments. Unlike other TCP options,
+ it need not be exchanged reliably. Consequently, the specification
+ does not define a reliability handshake for UTO option exchanges.
+ When a segment that carries a UTO option is lost, the other end will
+ simply not have the opportunity to update its local USER TIMEOUT.
+
+ Implementations MAY implement local mechanisms to improve delivery
+ reliability, such as retransmitting a UTO option when they retransmit
+ a segment that originally carried it, or "attaching" the option to a
+ byte in the stream and retransmitting the option whenever that byte
+ or its ACK are retransmitted.
+
+ It is important to note that although these mechanisms can improve
+ transmission reliability for the UTO option, they do not guarantee
+ delivery (a three-way handshake would be required for this).
+ Consequently, implementations MUST NOT assume that UTO options are
+ transmitted reliably.
+
+3.3. Option Format
+
+ Sending a TCP User Timeout Option informs the other end of the
+ connection of the current local user timeout and suggests that the
+ other end adapt its user timeout accordingly. The user timeout value
+ included in a UTO option contains the ADV_UTO value that is expected
+ to be adopted for the TCP's USER TIMEOUT parameter during the
+ synchronized states of a connection (ESTABLISHED, FIN-WAIT-1, FIN-
+ WAIT-2, CLOSE-WAIT, CLOSING, or LAST-ACK). Connections in other
+ states MUST use the default timeout values defined in [RFC0793] and
+ [RFC1122].
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Kind = 28 | Length = 4 |G| User Timeout |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ (One tick mark represents one bit.)
+
+ Figure 1: Format of the TCP User Timeout Option
+
+
+
+
+
+Eggert & Gont Standards Track [Page 8]
+
+RFC 5482 TCP User Timeout Option March 2009
+
+
+ Figure 1 shows the format of the TCP User Timeout Option. It
+ contains these fields:
+
+ Kind (8 bits)
+ This MUST be 28, i.e., the TCP option number [RFC0793] that has
+ been assigned by IANA (see Section 7).
+
+ Length (8 bits)
+ Length of the TCP option in octets [RFC0793]; its value MUST be 4.
+
+ Granularity (1 bit)
+ Granularity bit, indicating the granularity of the "User Timeout"
+ field. When set (G = 1), the time interval in the "User Timeout"
+ field MUST be interpreted as minutes. Otherwise (G = 0), the time
+ interval in the "User Timeout" field MUST be interpreted as
+ seconds.
+
+ User Timeout (15 bits)
+ Specifies the user timeout suggestion for this connection. It
+ MUST be interpreted as a 15-bit unsigned integer. The granularity
+ of the timeout (minutes or seconds) depends on the "G" field.
+
+3.4. Reserved Option Values
+
+ A TCP User Timeout Option with a "User Timeout" field of zero and a
+ "Granularity" bit of either minutes (1) or seconds (0) is reserved
+ for future use. Current TCP implementations MUST NOT send it and
+ MUST ignore it upon reception.
+
+4. Interoperability Issues
+
+ This section discusses interoperability issues related to introducing
+ the TCP User Timeout Option.
+
+4.1. Middleboxes
+
+ A TCP implementation that does not support the TCP User Timeout
+ Option MUST silently ignore it [RFC1122], thus ensuring
+ interoperability. In a study of the effects of middleboxes on
+ transport protocols, Medina et al. have shown that the vast majority
+ of modern TCP stacks correctly handle unknown TCP options [MEDINA].
+ In this study, 3% of connections failed when an unknown TCP option
+ appeared in the middle of a connection. Because the number of
+ failures caused by unknown options is small and they are a result of
+ incorrectly implemented TCP stacks that violate existing requirements
+ to ignore unknown options, they do not warrant special measures.
+ Thus, this document does not define a mechanism to negotiate support
+ of the TCP User Timeout Option during the three-way handshake.
+
+
+
+Eggert & Gont Standards Track [Page 9]
+
+RFC 5482 TCP User Timeout Option March 2009
+
+
+ Implementations may want to exchange UTO options on the very first
+ data segments after the three-way handshake to determine if such a
+ middlebox exists on the path. When segments carrying UTO options are
+ persistently lost, an implementation should turn off the use of UTO
+ for the connection. When the connection itself is reset, an
+ implementation may be able to transparently re-establish another
+ connection instance that does not use UTO before any application data
+ has been successfully exchanged.
+
+ Stateful firewalls usually time out connection state after a period
+ of inactivity. If such a firewall exists along the path, it may
+ close or abort connections regardless of the use of the TCP User
+ Timeout Option. In the future, such firewalls may learn to parse the
+ TCP User Timeout Option in unencrypted TCP segments and adapt
+ connection state management accordingly.
+
+4.2. TCP Keep-Alives
+
+ Some TCP implementations, such as those in BSD systems, use a
+ different abort policy for TCP keep-alives than for user data. Thus,
+ the TCP keep-alive mechanism might abort a connection that would
+ otherwise have survived the transient period without connectivity.
+ Therefore, if a connection that enables keep-alives is also using the
+ TCP User Timeout Option, then the keep-alive timer MUST be set to a
+ value larger than that of the adopted USER TIMEOUT.
+
+5. Programming and Manageability Considerations
+
+ The IETF specification for TCP [RFC0793] includes a simple, abstract
+ application programming interface (API). Similarly, the API for the
+ UTO extension in Section 3 is kept abstract. TCP implementations,
+ however, usually provide more complex and feature-rich APIs. The
+ "socket" API that originated with BSD Unix and is now standardized by
+ POSIX is one such example [POSIX]. It is expected that TCP
+ implementations that choose to include the UTO extension will extend
+ their API to allow applications to use and configure its parameters.
+
+ The MIB objects defined in [RFC4022] and [RFC4898] allow management
+ of TCP connections. It is expected that revisions to these documents
+ will include definitions of objects for managing the UTO extension
+ defined in this document.
+
+6. Security Considerations
+
+ Lengthening user timeouts has obvious security implications.
+ Flooding attacks cause denial of service by forcing servers to commit
+ resources for maintaining the state of throw-away connections.
+ However, TCP implementations do not become more vulnerable to simple
+
+
+
+Eggert & Gont Standards Track [Page 10]
+
+RFC 5482 TCP User Timeout Option March 2009
+
+
+ SYN flooding by implementing the TCP User Timeout Option, because
+ user timeouts exchanged during the handshake only affect the
+ synchronized states (ESTABLISHED, FIN-WAIT-1, FIN-WAIT-2, CLOSE-WAIT,
+ CLOSING, LAST-ACK), which simple SYN floods never reach.
+
+ However, when an attacker completes the three-way handshakes of its
+ throw-away connections, it can amplify the effects of resource
+ exhaustion attacks because the attacked server must maintain the
+ connection state associated with the throw-away connections for
+ longer durations. Because connection state is kept longer, lower-
+ frequency attack traffic, which may be more difficult to detect, can
+ already exacerbate resource exhaustion.
+
+ Several approaches can help mitigate this issue. First,
+ implementations can require prior peer authentication, e.g., using
+ IPsec [RFC4301] or TCP-MD5 [RFC2385], before accepting long user
+ timeouts for the peer's connections. (Implementors that decide to
+ use TCP-MD5 for this purpose are encouraged to monitor the
+ development of TCP-AO [AUTH_OPT], its designated successor, and
+ update their implementation when it is published as an RFC.) A
+ similar approach is for a host to start accepting long user timeouts
+ for an established connection only after in-band authentication has
+ occurred, for example, after a TLS handshake across the connection
+ has succeeded [RFC5246]. Although these are arguably the most
+ complete solutions, they depend on external mechanisms to establish a
+ trust relationship.
+
+ A second alternative that does not depend on external mechanisms
+ would introduce a per-peer limit on the number of connections that
+ may use increased user timeouts. Several variants of this approach
+ are possible, such as fixed limits or shortening accepted user
+ timeouts with a rising number of connections. Although this
+ alternative does not eliminate resource exhaustion attacks from a
+ single peer, it can limit their effects. Reducing the number of
+ high-UTO connections a server supports in the face of an attack turns
+ that attack into a denial-of-service attack against the service of
+ high-UTO connections.
+
+ Per-peer limits cannot protect against distributed denial-of-service
+ attacks, where multiple clients coordinate a resource exhaustion
+ attack that uses long user timeouts. To protect against such
+ attacks, TCP implementations could reduce the duration of accepted
+ user timeouts with increasing resource utilization.
+
+ TCP implementations under attack may be forced to shed load by
+ resetting established connections. Some load-shedding heuristics,
+ such as resetting connections with long idle times first, can
+ negatively affect service for intermittently connected, trusted peers
+
+
+
+Eggert & Gont Standards Track [Page 11]
+
+RFC 5482 TCP User Timeout Option March 2009
+
+
+ that have suggested long user timeouts. On the other hand, resetting
+ connections to untrusted peers that use long user timeouts may be
+ effective. In general, using the peers' level of trust as a
+ parameter during the load-shedding decision process may be useful.
+ Note that if TCP needs to close or abort connections with a long TCP
+ User Timeout Option to shed load, these connections are still no
+ worse off than without the option.
+
+ Finally, upper and lower limits on user timeouts, discussed in
+ Section 3.1, can be an effective tool to limit the impact of these
+ sorts of attacks.
+
+7. IANA Considerations
+
+ This section is to be interpreted according to [RFC5226].
+
+ This document does not define any new namespaces. IANA has allocated
+ a new 8-bit TCP option number (28) for the UTO option from the "TCP
+ Option Kind Numbers" registry maintained at http://www.iana.org.
+
+8. Acknowledgments
+
+ The following people have improved this document through thoughtful
+ suggestions: Mark Allman, Caitlin Bestler, David Borman, Bob Braden,
+ Scott Brim, Marcus Brunner, Wesley Eddy, Gorry Fairhurst, Abolade
+ Gbadegesin, Ted Faber, Guillermo Gont, Tom Henderson, Joseph Ishac,
+ Jeremy Harris, Alfred Hoenes, Phil Karn, Michael Kerrisk, Dan Krejsa,
+ Jamshid Mahdavi, Kostas Pentikousis, Juergen Quittek, Anantha
+ Ramaiah, Joe Touch, Stefan Schmid, Simon Schuetz, Tim Shepard, and
+ Martin Stiemerling.
+
+ Lars Eggert is partly funded by [TRILOGY], a research project
+ supported by the European Commission under its Seventh Framework
+ Program.
+
+ Fernando Gont wishes to thank Secretaria de Extension Universitaria
+ at Universidad Tecnologica Nacional and Universidad Tecnologica
+ Nacional/Facultad Regional Haedo for supporting him in this work.
+
+9. References
+
+9.1. Normative References
+
+ [RFC0793] Postel, J., "Transmission Control Protocol", STD 7,
+ RFC 793, September 1981.
+
+ [RFC1122] Braden, R., "Requirements for Internet Hosts -
+ Communication Layers", STD 3, RFC 1122, October 1989.
+
+
+
+Eggert & Gont Standards Track [Page 12]
+
+RFC 5482 TCP User Timeout Option March 2009
+
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
+ IANA Considerations Section in RFCs", BCP 26, RFC 5226,
+ May 2008.
+
+9.2. Informative References
+
+ [AUTH_OPT] Touch, J., Mankin, A., and R. Bonica, "The TCP
+ Authentication Option", Work in Progress, November 2008.
+
+ [MEDINA] Medina, A., Allman, M., and S. Floyd, "Measuring
+ Interactions Between Transport Protocols and
+ Middleboxes", Proc. 4th ACM SIGCOMM/USENIX Conference on
+ Internet Measurement, October 2004.
+
+ [POSIX] IEEE Std. 1003.1-2001, "Standard for Information
+ Technology - Portable Operating System Interface
+ (POSIX)", Open Group Technical Standard: Base
+ Specifications Issue 6, ISO/IEC 9945:2002, December 2001.
+
+ [RFC2385] Heffernan, A., "Protection of BGP Sessions via the TCP
+ MD5 Signature Option", RFC 2385, August 1998.
+
+ [RFC2988] Paxson, V. and M. Allman, "Computing TCP's Retransmission
+ Timer", RFC 2988, November 2000.
+
+ [RFC3344] Perkins, C., "IP Mobility Support for IPv4", RFC 3344,
+ August 2002.
+
+ [RFC4022] Raghunarayan, R., "Management Information Base for the
+ Transmission Control Protocol (TCP)", RFC 4022,
+ March 2005.
+
+ [RFC4301] Kent, S. and K. Seo, "Security Architecture for the
+ Internet Protocol", RFC 4301, December 2005.
+
+ [RFC4423] Moskowitz, R. and P. Nikander, "Host Identity Protocol
+ (HIP) Architecture", RFC 4423, May 2006.
+
+ [RFC4898] Mathis, M., Heffner, J., and R. Raghunarayan, "TCP
+ Extended Statistics MIB", RFC 4898, May 2007.
+
+ [RFC4987] Eddy, W., "TCP SYN Flooding Attacks and Common
+ Mitigations", RFC 4987, August 2007.
+
+
+
+
+
+Eggert & Gont Standards Track [Page 13]
+
+RFC 5482 TCP User Timeout Option March 2009
+
+
+ [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
+ (TLS) Protocol Version 1.2", RFC 5246, August 2008.
+
+ [SOLARIS] Sun Microsystems, "Solaris Tunable Parameters Reference
+ Manual", Part No. 806-7009-10, 2002.
+
+ [TCP_MOB] Eddy, W., "Mobility Support For TCP", Work in Progress,
+ April 2004.
+
+ [TRILOGY] "Trilogy Project", <http://www.trilogy-project.org/>.
+
+Authors' Addresses
+
+ Lars Eggert
+ Nokia Research Center
+ P.O. Box 407
+ Nokia Group 00045
+ Finland
+
+ Phone: +358 50 48 24461
+ EMail: lars.eggert@nokia.com
+ URI: http://research.nokia.com/people/lars_eggert/
+
+
+ Fernando Gont
+ Universidad Tecnologica Nacional / Facultad Regional Haedo
+ Evaristo Carriego 2644
+ Haedo, Provincia de Buenos Aires 1706
+ Argentina
+
+ Phone: +54 11 4650 8472
+ EMail: fernando@gont.com.ar
+ URI: http://www.gont.com.ar/
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eggert & Gont Standards Track [Page 14]
+